This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XDR 7.6.1 seems to ignore exception

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

XDR 7.6.1 seems to ignore exception

Faber
L0 Member

‎01-25-2022 01:31 AM - edited ‎01-25-2022 01:33 AM

Hi, Cortex XDR Local Analysis Malware module stops a process called "ClientConsole.exe" (I guess it's a false positive)

 

I've created a global exception for that issue and checked-in client but XDR still blocks this executable.

 

In client log I read these rows:

 

2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'

 

Why XDR ignores my exceptions ????

Faber
1 person had this problem.
0 Likes Likes
1 REPLY 1

jtalton
L3 Networker

‎06-10-2022 01:46 PM

Hi Faber, 

 

This may be due to this process not being protected by a module. By default, your exploit security profile protects endpoints from attack techniques that target specific processes. Each exploit protection capability protects a different set of processes that Palo Alto Networks researchers determine are susceptible to attack. If there are no protection modules enabled on the process, no is exception needed. Please reference Processes Protected by Exploit Security Policy (paloaltonetworks.com) for more details.

 

There are other modules where Process Exceptions will still apply, like Anti-Ransomware Protection, Child Process Protection, but for all Exploit Prevention Modules the process exception makes no difference for an unprotected process. 

 

If you're investigation has determined the process is benign, you can add the hash to the Allow List (*best practice is to whitelist by hash) and allow it to be executed on all your endpoints regardless of the WildFire or local analysis verdict. 

 

In the UI, Go to Incident Response, Response, Action Center, + New Action

jtalton_0-1654893682835.png

Enter the SHA-256 hash of the file and click jtalton_1-1654893830633.png

 

You can add up to 100 hashes at once. 
Click Next.
Review the summary and click Done.

 

Reference Manage File Execution (paloaltonetworks.com)

 

Thanks

 

If you found this answer helpful, please select Accept as Solution.
  • 1775 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks